If the use of ECB is appropriate (which it may well be for this application) then the fact that it was used is not an indication of "brain dead" decision making. I would be much more worried if they made the system unnecessarily complicated (and thus more vulnerable) just because they thought the presence of ECB would be bad for marketing.
> then the fact that it was used is not an indication of "brain dead" decision making.
I didn't mean using it was brain dead, I mean using it without knowing the implications might lead to (accidentally) using it in a brain dead way. For example, I could see them implementing the protocol and testing it without crypto and then simply adding crypto on top of it without thinking about the crypto portion.